RE: Help me pls with OSPF authentication.

From: OhioHondo (ohiohondo@columbus.rr.com)
Date: Fri Dec 27 2002 - 02:56:58 GMT-3


Janto

As I understand it with help from others, you don't need
(and it is not used BUT it doesn't cause problems)

R2
Area 12 virtual-link 192.168.1.1 authentication message-digest

Your configuration works as it is.

-----Original Message-----
From: Janto Cin [mailto:jantocin@datacomm.co.id]
Sent: Thursday, December 26, 2002 10:13 PM
To: 'OhioHondo'
Cc: ccielab@groupstudy.com
Subject: RE: Help me pls with OSPF authentication.

All,

I posted a week ago.

(lo0)R1(e0)---------(e0)R2(lo0)

R1(e0)---(e0)R2 -> Area 12
R1(lo0) -> Area 1
R2(lo0) -> Area 0

R1
------
Area 12 virtual-link 192.168.2.2 authentication message-digest
Area 12 virtual-link 192.168.2.2 message-digest-key 1 md5 cisco

R2
------
Area 0 authentication message-digest
Area 12 virtual-link 192.168.1.1 authentication message-digest
Area 12 virtual-link 192.168.1.1 message-digest-key 1 md5 cisco

We don't have to put 'area 0 authentication message-digest' in R1.
Correct me if I'm wrong.

Janto

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
OhioHondo
Sent: Friday, December 27, 2002 7:03 AM
To: Brian McGahan; 'Lysyuk Andrew'
Cc: ccielab@groupstudy.com
Subject: RE: Help me pls with OSPF authentication.

Brian/Kym

I did not have any authentication specified for area 0. (Since I did not
have any area 0 links defined in my config I overlooked that.) I changed
area 0 to require authentication and now it works as advertised!!

Brian -- thank you for the clarification on what is considered interface
authentication using virtual links.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Brian McGahan
Sent: Thursday, December 26, 2002 6:06 PM
To: 'Jerry Haverkos'; 'Lysyuk Andrew'
Cc: ccielab@groupstudy.com
Subject: RE: Help me pls with OSPF authentication.

Jerry,

        There are two types of authentication in OSPF, area and
interface. If area authentication is enabled, all interfaces which have
adjacencies on them must authenticate. A virtual-link *is* an area 0
interface, therefore if you have a virtual-link, and are authenticating
area 0, you must authenticate the virtual-link.

        Interface authentication is independent of area authentication,
and interface authentication overrides area authentication. This means
that you could be using clear-text authentication throughout an area,
and implement md5 authentication on a particular link within that area.
In the case that you have presented, interface authentication is enabled
on the virtual-link. This is a perfectly valid configuration.

        If in your example you had said 'area 0 authentication', the
remote router where the virtual-link terminates would also have to say
'area 0 authentication'. It is not completely necessary that you
configure a key on the interface (or virtual-link in this case). OSPF
authentication uses a "null" key by default. Practically, security
through obscurity is not a very safe practice, therefore you should
configure a key on each interface which is authenticating.

HTH

Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com

CyscoExpert Corporation
Internetwork Consulting & Training
Voice: 847.674.3392
Fax: 847.674.2625

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Jerry Haverkos
> Sent: Thursday, December 26, 2002 2:42 PM
> To: 'Lysyuk Andrew'
> Cc: ccielab@groupstudy.com
> Subject: RE: Help me pls with OSPF authentication.
>
> Lysuk
>
> I am on IOS 12.1.13 and my configs show no correlation between
> authentication of area 0 and authentication on the virtual link. The
> following are excerpts from my configs on the router that houses area 0
> and participates as part of the virtual link in my network. They show that
> there is no correlation in my network.
>
> 3640-1_R1#sho ip ospf virtual-links
> Virtual Link OSPF_VL0 to router 0.0.0.4 is up
> Run as demand circuit
> DoNotAge LSA allowed.
> Transit area 4, via interface Serial1/0.4, Cost of using 781
> Transmit Delay is 1 sec, State POINT_TO_POINT,
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> Hello due in 00:00:05
> Adjacency State FULL (Hello suppressed)
> Index 1/4, retransmission queue length 0, number of retransmission 1
> First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
> Last retransmission scan length is 1, maximum is 1
> Last retransmission scan time is 0 msec, maximum is 0 msec
> Message digest authentication enabled
> Youngest key id is 1
>
>
> Note -- on the router there is only one interface in area 0 and it does
> not specify authentication
>
> 3640-1_R1#
> router ospf 100
> router-id 0.0.0.1
> log-adjacency-changes
> no discard-route internal
> area 0 range 149.1.254.0 255.255.255.0
> area 0 range 149.1.0.0 255.255.0.0
> area 1 range 149.1.1.0 255.255.255.0
> area 2 authentication message-digest
> area 2 stub no-summary
> area 2 range 149.1.2.0 255.255.255.0
> area 4 range 149.1.4.0 255.255.255.0
> area 4 virtual-link 0.0.0.4 authentication message-digest
> area 4 virtual-link 0.0.0.4 message-digest-key 1 md5 cubbies
> area 5 authentication message-digest
> area 5 nssa no-summary
> area 5 range 149.1.5.0 255.255.255.0
> summary-address 17.0.0.0 255.0.0.0 not-advertise
> network 149.1.1.0 0.0.0.255 area 1
> network 149.1.2.0 0.0.0.255 area 2
> network 149.1.4.0 0.0.0.255 area 4
> network 149.1.5.0 0.0.0.255 area 5
> network 149.1.254.254 0.0.0.0 area 0
> neighbor 149.1.2.254
> neighbor 149.1.4.254
> neighbor 149.1.5.254
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Justin Menga
> Sent: Thursday, December 26, 2002 1:11 AM
> To: Jude Servi; 'Robert Slaski'; 'Manish Gupta'
> Cc: 'Lysyuk Andrew'; ccielab@groupstudy.com
> Subject: RE: Help me pls with OSPF authentication.
>
>
> Also, if you enable authentication for a virtual link, you must also
> ensure area 0 has authentication enabled:
>
> router ospf 1
> area 0 authentication
> area 1 virtual-link .....
>
> Regards,
> Justin
>
> -----Original Message-----
> From: Jude Servi [mailto:jservi@cisco.com]
> Sent: Wednesday, December 25, 2002 12:36 PM
> To: 'Robert Slaski'; 'Manish Gupta'
> Cc: 'Lysyuk Andrew'; ccielab@groupstudy.com
> Subject: RE: Help me pls with OSPF authentication.
>
>
> Don't forget to add authentication to a virtual link if needed. Example
> for md5 auth:
>
> router ospf 1
> area # virtual-link <neighbor ip addr> authentication message-digest
> message-digest-key # <key>
>
> Jude
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Robert Slaski
> Sent: Saturday, December 21, 2002 11:16 AM
> To: Manish Gupta
> Cc: Lysyuk Andrew; ccielab@groupstudy.com
> Subject: Re: Help me pls with OSPF authentication.
>
>
> Manish Gupta wrote:
> > I always prefer
> >
> > Under router ospf x
> > area x authentication (plain or MD5)
> >
> > Under interface:
> > ip ospf authentication <password> if plain
>
> You meant 'ip ospf authentication-key' I think, but this does not answer
> Andrew's question.
>
> There are two authentication types available in OSPF: per area and per
> interface; if both are configured then per interface authentication
> takes precedence. Both have plain-text and MD5 checksum variants.
>
> Per area:
> 1. enable area authentication
> (config-router)# area <area> authentication [message-digest]
> 2. setup keys (this should be done on each area interface)
> (config-if)# ip ospf authentication-key <text> # for plain text
> or
> (config-if)# ip ospf message-digest-key <key_id> md5 0 <text> # for MD5
>
> Per interface:
> 1. enable interface authentication
> (config-if)# ip ospf authentication [message-digest | null]
> 2. setup keys (same as above)
>
> mikrobi,
> --
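The rules spelled out by Brian McGahan and Robert Slaski above (interface or virtual-link authentication overrides area authentication, a virtual link counts as an area 0 interface, and an authenticating interface with no key configured falls back to a null key) can be written down as a small model and checked against Janto's R1/R2 configs. The Python below is an added example, not code from anyone in this thread; the `Router`/`Interface` classes, the `VL:<transit-area>:<peer>` naming and the constructed `A`/`B` routers are all assumptions made for the illustration, while the R1/R2 values come from Janto's message.

```python
# Added example: model of how a router resolves OSPF authentication per
# interface, following the rules stated in this thread.  Class names,
# interface naming and the helper functions are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

NULL, SIMPLE, MD5 = "null", "simple", "message-digest"


@dataclass
class Interface:
    area: int
    auth: Optional[str] = None            # per-interface 'ip ospf authentication ...', if configured
    keys: Dict[int, str] = field(default_factory=dict)  # key-id -> key text (simple password: id 0)


@dataclass
class Router:
    name: str
    area_auth: Dict[int, str] = field(default_factory=dict)  # 'area N authentication [message-digest]'
    interfaces: Dict[str, Interface] = field(default_factory=dict)

    def add_virtual_link(self, transit_area: int, peer_rid: str,
                         auth: Optional[str] = None,
                         keys: Optional[Dict[int, str]] = None) -> str:
        """A virtual link belongs to area 0 no matter which transit area carries it."""
        name = f"VL:{transit_area}:{peer_rid}"
        self.interfaces[name] = Interface(area=0, auth=auth, keys=dict(keys or {}))
        return name


def effective_auth(r: Router, ifname: str) -> Tuple[str, Dict[int, str]]:
    """What the interface actually uses on the wire: interface setting first,
    then the area setting, otherwise no authentication."""
    intf = r.interfaces[ifname]
    mode = intf.auth if intf.auth is not None else r.area_auth.get(intf.area, NULL)
    if mode == NULL:
        return NULL, {}
    # Authentication enabled but no key configured: the router uses a null (empty) key.
    return mode, (dict(intf.keys) if intf.keys else {0: ""})


def adjacency_ok(a: Router, ifa: str, b: Router, ifb: str) -> Tuple[bool, str]:
    """Both ends must agree on the type and share a key id with identical key text."""
    mode_a, keys_a = effective_auth(a, ifa)
    mode_b, keys_b = effective_auth(b, ifb)
    if mode_a != mode_b:
        return False, f"type mismatch: {a.name}={mode_a}, {b.name}={mode_b}"
    if mode_a == NULL:
        return True, "no authentication on either end"
    shared = sorted(k for k in keys_a if k in keys_b and keys_a[k] == keys_b[k])
    if not shared:
        return False, f"{mode_a}: no matching key id/key"
    if keys_a[shared[0]] == "":
        return True, f"{mode_a} with null key (adjacency forms, but offers no protection)"
    return True, f"{mode_a} with key id {shared[0]}"


def janto_topology() -> Tuple[Router, Router]:
    """Janto's configs from the thread: R1 has no 'area 0 authentication',
    R2 does; both ends authenticate the virtual link explicitly."""
    r1 = Router("R1")
    r1.interfaces["Loopback0"] = Interface(area=1)
    r1.add_virtual_link(12, "192.168.2.2", MD5, {1: "cisco"})
    r2 = Router("R2", area_auth={0: MD5})
    r2.interfaces["Loopback0"] = Interface(area=0)
    r2.add_virtual_link(12, "192.168.1.1", MD5, {1: "cisco"})
    return r1, r2


if __name__ == "__main__":
    r1, r2 = janto_topology()
    print(adjacency_ok(r1, "VL:12:192.168.2.2", r2, "VL:12:192.168.1.1"))
    # R2's area 0 loopback inherits message-digest from the area but has no key
    print(effective_auth(r2, "Loopback0"))
```

Running it confirms Janto's reading: the virtual link authenticates with key id 1 on both ends regardless of whether R1 has `area 0 authentication`, because the virtual-link setting is an interface setting. The null-key path is the point Brian makes: an area-authenticated interface with no key still forms an adjacency, which is exactly why a key should be configured on every authenticating interface.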



This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:53 GMT-3